Network Hardening with Bastille

Bastille is an open source program that facilitates the network hardening of a system running Linux. It performs many of the tasks discussed in previous articles on this blog, such as disabling services and ports. It eases the process of hardening a Linux system, giving you the choice of what to lock down and what not to, depending on your security requirements, and bundles many of the routine tasks done to secure a Linux system into a single package.

Bastille is powerful and can save administrators time from configuring each individual file and program throughout the operating system. Bastille is a set of Perl scripts that run as an interactive program, and instead of configuring files and programs individually, in Bastille the administrator answers a series of “Yes” and “No” questions through an interactive GUI. The program automatically implements the administrator’s preferences based on their answer to the questions, thus streamlining the network hardening process.

Bastille was written specifically for Red Hat Linux and Mandrake Linux, but it can easily be modified to run on most Unix-like systems. The Red Hat/Mandrake-specific content has been generalized, and the formerly hard-coded filenames are now represented as variables that are set automatically at runtime. Before you install Bastille on your system, ensure that your Linux version is supported. It is known to work with Red Hat, Fedora, SUSE, Debian, Ubuntu, Gentoo, and Mandriva, as well as HP-UX.

Network Hardening with Bastille: Features

More information about each of Bastille’s features is available when the program is run, but here is an overview of the main network hardening features of the program:

  • Apply restrictive permissions on administrator utilities: This allows only root to read and execute common admin utilities such as ifconfig, linuxconf, ping, traceroute, and runlevel. It also removes the SUID root bit from these programs.
  • Disable r-protocols: The r-protocols allow users to log on to remote systems using IP-based authentication. This authentication is based on the IP address, so a hacker could easily create spoofed packets that appear to be from the authorized system.
  • Disable CTRL-ALT-DELETE rebooting: This disallows rebooting the machine by this method.
  • Optimize TCP Wrappers: This choice modifies the inetd.conf and /etc/hosts.allow files so that whenever inetd gets a request, it has to consult TCP Wrappers, which determines whether the requesting IP address is allowed to use the service.
  • Limit system resource usage: Limiting system resource usage improves network hardening and reduces the chances of a successful denial-of-service (DoS) attack. If you choose this option, the following changes will occur:
    • Individual file size is limited to 40 MB.
    • Each individual user is limited to 150 processes.
    • The allowable number of core files is set to zero. Core files are used for system troubleshooting, but they can also be exploited by attackers if they gain control of them.
  • Restrict console access: Bastille can specify which user accounts are allowed to log on via the console.
  • Additional and remote logging: Enables the admin to add two additional logs to /var/log: /var/log/kernel (for kernel messages) and /var/log/syslog (for error and warning severity messages).
  • Process accounting setup: Allows you to log the commands of all users.
  • Deactivate NFS and Samba: NFS (Network File System) and Samba are services that let remote systems access files on a Linux system. Unless the firewall is configured to block their packets or the admin secures these services, Bastille recommends deactivating them.
  • Harden Apache web server: httpd should be disabled if the service is not required. If Apache is being run, there are also ways of enabling Apache in a manner that ensures maximal network hardening.
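Limits of the kind listed under "Limit system resource usage" are normally set through pam_limits in /etc/security/limits.conf. As an added example, not code from Bastille or from this article, the Python script below parses a limits.conf fragment and reports whether hard caps at the stated values apply to all users and which per-user entries loosen them; the TARGETS constant, the constructed SAMPLE file and the assumption that fsize is expressed in KB are mine.

```python
from typing import Dict, List, Optional, Tuple

# Caps from the article in limits.conf units (assumption: fsize in KB).
TARGETS = {"fsize": 40 * 1024, "nproc": 150, "core": 0}

# Constructed sample file, not taken from any real system.
SAMPLE = """\
# /etc/security/limits.conf (constructed)
*       hard    core    0
*       hard    nproc   150
*       soft    fsize   40960      # soft only: a user can raise it
alice   hard    nproc   unlimited  # per-user exception
"""

def parse_limits(text: str) -> List[Tuple[str, str, str, Optional[int]]]:
    """Return (domain, type, item, value) per active line; None = unlimited.

    pam_limits lines are '<domain> <type> <item> <value>', with type one of
    hard, soft or '-' (both); fsize and core values are in KB.
    """
    entries = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()  # drop comments and blanks
        if len(parts) != 4:
            continue  # pam_limits ignores malformed lines as well
        domain, ltype, item, value = parts
        entries.append((domain, ltype, item,
                        None if value == "unlimited" else int(value)))
    return entries

def audit_limits(text: str) -> Dict[str, bool]:
    """True per item when a hard cap at or below the target applies to '*'.

    Later lines for the same domain win, so a trailing 'unlimited' undoes an
    earlier cap. Soft limits do not count: a user can raise them with ulimit.
    """
    enforced = {item: False for item in TARGETS}
    for domain, ltype, item, value in parse_limits(text):
        if domain != "*" or ltype not in ("hard", "-") or item not in TARGETS:
            continue
        enforced[item] = value is not None and value <= TARGETS[item]
    return enforced

def user_overrides(text: str) -> List[str]:
    """Domains other than '*' whose hard entry loosens or removes a cap."""
    return [f"{domain} {item}"
            for domain, ltype, item, value in parse_limits(text)
            if domain != "*" and item in TARGETS and ltype != "soft"
            and (value is None or value > TARGETS[item])]
```

Reading the real file in place of SAMPLE turns this into a quick post-Bastille check; note that pam_limits only applies these caps to sessions opened through PAM, so a daemon started directly from an init script is not covered by them.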

Implementing this policy goes a long way towards achieving network hardening. In the next article, we will take a look at the process of implementing Bastille.

External Links:

The official Bastille web site

How to Harden Your Linux Server’s Security with Bastille on

Hardening your systems with Bastille Linux at

© 2013 David Zientara. All rights reserved.